U.S. COMMODITY FUTURES TRADING COMMISSION
Three Lafayette Centre
1155 21st Street, NW, Washington, DC 20581
Telephone: (202) 418-5000
Facsimile: (202) 418-5521
www.cftc.gov

Office of the Inspector General

MEMORANDUM

TO:             Chairman Timothy Massad,
                Commissioners: Scott O'Malia, Mark Wetjen, Sharon Bowen, and J. Christopher
                Giancarlo

FROM:           A. Roy Lavik
                Inspector General

DATE:           July 17, 2014

SUBJECT:        Performance Audit Report # 14-P-05-DSIO

Attached is the Commodity Futures Trading Commission (CFTC) Office of the Inspector General
(OIG) audit report on:

    "CFTC's Management Controls and Procedures for Evaluating Futures Commission
    Merchants' (FCM) and Retail Foreign Exchange Dealers' (RFED) Compliance with
    CFTC Financial Reporting Requirements Mandated by the Commodity Exchange Act and
    the Dodd Frank Act"

The CFTC-OIG contracted with an independent public accounting firm, CliftonLarsonAllen to
conduct this audit. The OIG monitored this audit and concurs with CliftonLarsonAllen's findings
in the attached audit report. The findings were discussed with management in the Division of
Swap Dealer and Intermediary Oversight; their comments are attached to the final report.

Should you have any questions regarding this report, please do not hesitate to contact me.

Attachments

CliftonLarsonAllen

U.S. COMMODITY FUTURES TRADING COMMISSION

Report on
Management's Procedures for Evaluating
Futures Commission Merchants and Retail Foreign Exchange Dealers
Compliance with Financial Reporting Requirements

TABLE OF CONTENTS

INTRODUCTION
BACKGROUND
SUMMARY OF RESULTS
SCOPE AND METHODOLOGY

ABBREVIATIONS

CFTC                           U.S. Commodity Futures Trading Commission
CLA                            CliftonLarsonAllen LLP
CEA                            Commodity Exchange Act
Dodd-Frank Act                 Dodd-Frank Wall Street Reform and Consumer Protection Act
FCM                            Futures Commission Merchants
FY                             Fiscal Year
OIG                            Office of the Inspector General
RFED                           Retail Foreign Exchange Dealers
RSR                            Regulatory Statement Review

INTRODUCTION

The U.S. Commodity Futures Trading Commission (CFTC) was created by the Congress in
1974 as an independent agency with a mandate to regulate commodity futures and option
markets in the United States. Its mission is to protect market participants and the public from
fraud, manipulation, abusive practices, and systemic risk related to derivatives - both futures
and swaps - and to foster transparent, open, competitive, and financially sound markets.
In carrying out its mission and to promote market integrity, CFTC polices the derivatives markets
for various abuses and works to ensure the protection of customer funds. The agency also
seeks to lower the risk of the futures and swaps markets to the economy and the public. CFTC's
fiscal years (FYs) 2012 and 2013 budgets were about $205 million and $308 million,
respectively.

CliftonLarsonAllen LLP (CLA) was engaged by CFTC's Office of the Inspector General (OIG) to
conduct an audit of CFTC's management controls and procedures for evaluating Futures
Commission Merchants' (FCMs') and Retail Foreign Exchange Dealers' (RFEDs') compliance
with CFTC financial reporting requirements mandated by the Commodity Exchange Act (CEA)
and Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act). The
objective of this audit was to assist OIG in evaluating CFTC's management controls relating to
its regulatory oversight of FCMs' and RFEDs' compliance with financial reporting requirements
during FYs 2012 and 2013. Our audit was limited to CFTC's oversight of FCMs and RFEDs
holding customer funds.

BACKGROUND

CFTC's Division of Swap Dealer and Intermediary Oversight (DSIO) has responsibility for
overseeing the registration and compliance of intermediaries and futures industry self-regulatory
organizations, including U.S. derivatives exchanges and the National Futures Associations.
Under Dodd-Frank Act, DSIO is responsible for developing and monitoring compliance with
regulations addressing registration, business conduct standards, capital adequacy, and margin
requirements for swap dealers and major swap participants.
DSIO's New York Regional Office
has primary responsibility for ensuring and conducting reviews of FCMs' and RFEDs'
compliance with CFTC financial reporting requirements.

As required under CEA, FCMs and RFEDs are required to periodically file a variety of audited
and unaudited financial reports and other information with CFTC each year. Such reports and
information include statements of financial condition, computation of minimum capital
requirements, income, changes in ownership equity, changes in subordinated liabilities, and
cash flows.

SUMMARY OF RESULTS

Our audit found that CFTC had management controls to help achieve its regulatory oversight of
FCMs' and RFEDs' compliance with CFTC financial reporting requirements during FYs 2012
and 2013. Our analysis of a sample of FCMs and RFEDs reviewed by DSIO indicated that
CFTC's prescribed procedures for conducting its reviews were generally followed. We identified,
and communicated separately to management, certain matters about CFTC's control
deficiencies for which CFTC could take measures to strengthen its controls.

SCOPE AND METHODOLOGY

Our audit scope was limited to evaluating CFTC's management controls toward achieving its
regulatory oversight of FCMs' and RFEDs' compliance with financial reporting requirements
during FYs 2012 and 2013. Our audit was limited to CFTC's reviews of FCMs and RFEDs
holding customer funds.

We reviewed CEA and Dodd-Frank Act provisions; CFTC financial rules, regulations, and
procedures, and specifically CFTC management controls and reviews of FCMs' and RFEDs'
compliance with financial reporting requirements.
In addition, we interviewed CFTC
headquarters and DSIO's New York regional office officials about the management controls,
policies, and procedures used in reviewing FCMs' and RFEDs' compliance with financial
reporting requirements. We also analyzed the reports and workpapers of a sample of FCMs and
RFEDs reviewed by DSIO in FYs 2012 and 2013, and determined their compliance with
financial reporting requirements. Regulatory Statement Review (RSR) express is an internally
developed system used by CFTC to process and verify financial reports submitted by the FCMs
and RFEDs. This system utilizes comprehensive edit and logic checks to analyze the financial
reports for specific financial ratios and/or reportable events. CLA did not perform an Information
Technology system and security assessment or conduct an evaluation of the RSR express's
functionality and capability.

We conducted this performance audit in accordance with Government Auditing Standards,
issued by the Comptroller General of the United States. Those standards require that we plan
and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for
our conclusion based on our audit objective. We believe that the evidence obtained provides a
reasonable basis for our conclusion.

This report is intended solely for the information and use of CFTC's management and OIG, and
is not intended to be, and should not be, used by anyone other than these specified parties.

Calverton, Maryland
April 25, 2014

CliftonLarsonAllen LLP
www.cliftonlarsonallen.com

Inspector General
U.S. Commodity Futures Trading Commission

In planning and performing our performance audit of the U.S. Commodity Futures Trading Commission's
(CFTC's) management controls and procedures for evaluating Futures Commission Merchants' (FCMs')
and Retail Foreign Exchange Dealers' (RFEDs') compliance with CFTC financial reporting requirements
mandated by the Commodity Exchange Act (CEA) and Dodd-Frank Wall Street Reform and Consumer
Protection Act (Dodd-Frank Act) for fiscal years 2012 and 2013 in accordance with Government Auditing
Standards, issued by the Comptroller General of the United States, we considered the entity's internal
control as a basis for designing procedures that are appropriate for this engagement.

During our audit, we became aware of deficiencies in internal control other than significant deficiencies
and material weaknesses and other matters that are opportunities to strengthen management's internal
control and improve the efficiency of CFTC's operations related to its oversight of the FCMs' and RFEDs'
compliance with the mandated financial reporting requirements referred to above.

While the nature and magnitude of these other deficiencies in internal control were not considered
important enough to merit the attention of those charged with governance, they are considered of
sufficient importance to merit management's attention.

We did not audit CFTC's responses and, accordingly, we express no opinion on them.

This letter is intended solely for the information and use of the management of CFTC and its Office of
the Inspector General, and is not intended to be, and should not be, used by anyone other than these
specified parties.

Calverton, Maryland
April 25, 2014

EXHIBIT I
U.S. COMMODITY FUTURES TRADING COMMISSION
MANAGEMENT LETTER COMMENTS
September 30, 2013

FISCAL YEAR 2013 FINDINGS

1. DIVISION OF SWAP DEALER AND INTERMEDIARY OVERSIGHT (DSIO) POLICIES AND PROCEDURES
   FOR EVALUATING FCMs AND RFEDs COMPLIANCE WITH FINANCIAL REPORTING REQUIREMENTS

Conditions - During our review of the CFTC's assessment process used to monitor the FCMs' and
RFEDs' compliance with financial reporting requirements mandated by the CEA, we noted that DSIO
management did not have a formal policy in place to establish the staff hierarchy for DSIO reviews
of FCMs and RFEDs until June 2013. The policy required that a CT level 14 or above perform the
second review and approval of the FCMs' and RFEDs' compliance with the financial reporting
requirements. We examined the reviews conducted by DSIO staff and noted the following:

    •   In 2 of the 32 FCMs/RFEDs financial statements examined, the second/supervisory review
        was performed by an auditor at a CT grade level 13 or lower subsequent to the date of the
        new policy.
    •   In 13 of the 32 FCMs/RFEDs financial statements examined, the second/supervisory review
        was performed by an auditor at a CT grade level 13 or below before the policy was
        established.

In addition, we noted instances that the DSIO policies and procedures did not contain clear and
concise instructions to ensure the objectives of the review procedures were met. For example,
management's policy contained a procedure for its staff to investigate and document the cause of
material changes to specific line items during the examination of the FCMs and RFEDs financial
statements. However, the manual did not include a provision and/or parameter on what constitutes
a material change.

Recommendations - We recommend that CFTC:

1. Develop a documented monitoring process of control activities related to the supervisory review
   of FCMs' and RFEDs' financial reporting compliance to ensure that the process is operating as
   management intended to accomplish its control objective. The results of the monitoring
   activities should be evaluated and any deficiency identified should be corrected by management
   in a timely manner.

Management Response:
CFTC management concurred with Recommendation 1. However, management indicated a
monitoring process and controls have been in place since December 2013. Only the appropriate,
assigned staff can perform an initial and supervisory review of the financial statements. This is
controlled in two ways. First, the names of the staff and supervisors assigned to a particular firm are
coded directly into RSRexpress by the System Administrator (upon the request from an Associate
Director) thereby ensuring that only assigned individuals can sign off a supervisor review. Second, a
monthly report is generated for each Associate Director detailing the status of the monthly financial
review process and resolution of any issues noted. This report is summarized and presented to the
Deputy Director in a monthly status report highlighting any issues and reviews outstanding more
than 30 days.
If a financial review is outstanding for an extended period of time, appropriate actions
are taken by management.

Auditors Comments:
Management stated that a monitoring process and controls were placed in operations as of
December 31, 2013, approximately two months subsequent to the audit periods. As a result, we
could not determine the adequacy of control design or operating effectiveness of management's
corrective actions.

2. Refine current policies and/or procedures manual to incorporate the review and/or research
   criteria for material variances in all places mentioned in the manual. In addition, management
   should review and determine whether any other vague criteria exist and update accordingly. All
   documented policies and procedures should be clear, concise, and descriptive.

Management Response:
CFTC management did not concur with Recommendation 2. Management indicated that the
definition for materiality is set forth in CFTC interpretation 4-1 dated July 29, 1985, which clearly and
concisely states the definition in terms of a percentage. This definition has been readily accepted
and applied in practice by the Commission Staff, the Division of Enforcement and by the DSROs. This
definition was reviewed as recently as June 2013 in discussions with the DSROs and was reaffirmed
as appropriate at that time. Additionally, management performed a review of its procedures and
identified no "vague criteria" in its procedures.

Auditors Comments:
Management stated that a definition for materiality was set forth in CFTC interpretation 4-1.
However, the aforementioned interpretation addresses material error. The specific research
criterion for material variance was not defined in DSIO's policies and procedures. Such vague criteria
allow for inconsistent application of the procedure performed by staff.

2. REGULATORY STATEMENT REVIEW (RSR) EXPRESS

Condition - CFTC uses RSRexpress as an essential application to process and verify financial reports
submitted by the FCMs and RFEDs. RSRexpress is an internally modified information technology
system that utilizes comprehensive edit and logic checks to analyze the financial reports for specific
financial ratios and/or reportable events. The Office of Data and Technology management stated
that the RSRexpress system operates under the overall structure of the General Support System
(GSS) and has inherited all the information technology controls associated with GSS. However,
management was not able to provide documentation that supports the above assertion or
documentation that a security assessment was performed on RSRexpress.

Recommendation - We recommend that CFTC management:

Review the current classification of RSRexpress as a minor application [1] and reevaluate the Federal
Information Processing System 199 categorization of RSRexpress. A further review of the data types
housed in RSRexpress by the Office of Data and Technology will assist management in evaluating
security risks associated with the system. Once the assessment is performed, management should
implement the necessary controls to mitigate security risks identified with this system.

[1] See OMB Circular A-130 Appendix III for a discussion on major vs. minor system.

Management Response:
Management concurred with our recommendation. However, management stated that RSRexpress
inherits controls from the CFTC General Support System (GSS or CFTC Network) for NIST 800-53
Revision 3. The GSS is rated as a moderate impact system, as are all the other major CFTC systems.
Changes to RSRexpress have been and will continue to be evaluated by the CFTC Security Impact
Analysis (SIA) component of the change management process, which considers controls for all of the
NIST 800-53 Revision 3 control families. Eight such SIA reviews of RSRexpress changes have been
conducted in FY 2013. However, management will reconsider, during its transition to compliance
with NIST 800-53 Revision 4, current Certification and Accreditation (C&A) boundaries and may
adjust them in order to identify and manage risk as efficiently as possible.

Auditor's Comments:
Management comments appear to be responsive to our recommendation. The CFTC Office of the
Inspector General should follow-up with management to ensure that the corrective action
implemented by management is effective.

U.S. COMMODITY FUTURES TRADING COMMISSION
Division of Swap Dealer and Intermediary Oversight
140 Broadway, New York, NY 10005
Telephone: (646) 746-9834
Facsimile: (646) 746-9937
E-Mail: kpiccoli@cftc.gov

Kevin C. Piccoli
Deputy Director

To:           Tony Baptiste - OIG
From:         Kevin Piccoli - DSIO Examinations
Cc:           Gary Barnett
Date:         May 28, 2014
Subject:      Audit Report Management Comments

Tony - as requested, please find below our response to the Management Letter
Comments we received from your recent review of DSIO - Examinations group. Please
let me know if you have any comments or questions.

Recommendation #1.1
Management Response:
A monitoring process and controls have been in place since December 2013. Only the
appropriate, assigned staff can perform an initial and supervisory review of the financial
statements. This is controlled in two ways. First, the names of the staff and supervisors
assigned to a particular firm are coded directly into RSRexpress by the System
Administrator (upon the request from an Associate Director) thereby ensuring that only
assigned individuals can sign off a supervisor review. Second, a monthly report is
generated for each Associate Director detailing the status of the monthly financial
review process and resolution of any issues noted. This report is summarized and
presented to the Deputy Director in a monthly status report highlighting any issues and
reviews outstanding more than 30 days. If a financial review is outstanding for an
extended period of time, appropriate actions are taken by management.

Concur: Yes _X_ No

Recommendation #1.2
Management Response:
The definition for materiality is set forth in CFTC interpretation 4-1 dated July 29, 1985
which clearly and concisely states the definition in terms of a percentage. This
definition has been readily accepted and applied in practice by the Commission Staff,
the Division of Enforcement and by the DSROs. This definition was reviewed as
recently as June 2013 in discussions with the DSROs and was reaffirmed as
appropriate at that time.
Additionally, we have performed a review of our procedures
and identified no "vague criteria" in our procedures.

Concur: Yes No _X_

Recommendation #2.1
Management Response:
RSRexpress inherits controls from the CFTC General Support System (GSS or CFTC
Network) for NIST 800-53 Revision 3. The GSS is rated as a moderate impact system,
as are all the other major CFTC systems. Changes to RSRexpress have been and will
continue to be evaluated by the CFTC Security Impact Analysis (SIA) component of the
change management process, which considers controls for all of the NIST 800-53
Revision 3 control families. Eight such SIA reviews of RSRexpress changes have been
conducted in FY 2013. However, the CFTC will reconsider, during its transition to
compliance with NIST 800-53 Revision 4, current Certification and Accreditation (C&A)
boundaries and may adjust them in order to identify and manage risk as efficiently as
possible.

Concur: Yes X No